SAMBA+ 4.12.2, 4.11.8 and 4.10.15 packages have just been released by SerNet. These are important security releases; please update affected systems as soon as possible. The packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux and Ubuntu.
The packages address the following issues:
CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ
A client combining the 'ASQ' and 'Paged Results' LDAP controls can cause a use-after-free in Samba's AD DC LDAP server.
CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC
A deeply nested filter in an unauthenticated LDAP search can exhaust the LDAP server's stack memory, causing a SIGSEGV.
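As an added example (not Samba or SerNet code), the Python below scores the parenthesis nesting depth of LDAP search filters taken from log lines, so a defender can spot the kind of deeply nested filter described for CVE-2020-10704 in captured queries. The log line format, the sample lines and the MAX_DEPTH threshold are assumptions, not values from the advisory.

```python
"""Flag pathologically deep LDAP search filters in log lines.

In the RFC 4515 string form, '(' and ')' inside attribute values must be
escaped as \\28 and \\29, so counting literal parentheses gives the real
nesting depth of a well-formed filter.
"""

MAX_DEPTH = 16  # assumed site threshold; tune to your directory's real queries


def filter_depth(ldap_filter: str) -> int:
    """Return the maximum nesting depth of an LDAP filter string.

    Raises ValueError on unbalanced parentheses so malformed input is not
    silently scored as shallow.
    """
    depth = 0
    max_depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in filter")
    if depth != 0:
        raise ValueError("unclosed '(' in filter")
    return max_depth


def flag_deep_filters(log_lines, limit=MAX_DEPTH):
    """Return [(line_no, depth_or_None)] for suspicious filters.

    Assumes a constructed log format where the filter follows 'filter='
    and runs to the end of the line. Malformed filters are reported with
    depth None so they are reviewed rather than dropped.
    """
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        _, sep, flt = line.partition("filter=")
        if not sep:
            continue
        try:
            depth = filter_depth(flt.strip())
        except ValueError:
            depth = None
        if depth is None or depth > limit:
            hits.append((line_no, depth))
    return hits


SAMPLE_LOG = [  # constructed lines, not real Samba log output
    "ldap_search base=dc=example,dc=com filter=(&(objectClass=user)(sAMAccountName=alice))",
    "ldap_search base=dc=example,dc=com filter=" + "(&" * 40 + "(cn=x)" + ")" * 40,
    "ldap_search base=dc=example,dc=com filter=(cn=bob",
]

if __name__ == "__main__":
    print(flag_deep_filters(SAMPLE_LOG))  # [(2, 41), (3, None)]
```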
Also, SAMBA+ Long Term Support packages for the SAMBA+ LTS 4.9, 4.8 and 4.7 release series, including the fix for CVE-2020-10704, are available now. These Samba versions are not affected by CVE-2020-10700.
SAMBA+ packages and all later versions are available as a software subscription. They can be purchased at the SAMBA+ shop; detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed on our platform OPOSSO (https://oposso.samba.plus), where users can activate their subscriptions and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.